Individuals and organizations typically attempt to protect their computing resources using security software systems. To protect the computing resources, the security software systems may identify suspicious or unknown files on the protected computing resources and then attempt to classify those files as benign or malicious. In the process of identifying the files, the security software products may create a hash of a file and compare the hash to hashes of other known files in a security database. For example, a client-side security agent may compare the hash to hashes of files that the security system has previously encountered and identified. Additionally, or alternatively, the client-side security agent may compare the hash to hashes of other files that are stored in a server-side security database. Similarly, security software systems may analyze the behavior or other attributes of the file in an attempt to estimate whether the file is benign or malicious. Moreover, the vendor of the security software system may also use human experts who manually inspect the file in an attempt to properly classify the file.
The traditional systems for classifying files described above suffer from some disadvantages. The large number of suspicious or unknown files may overwhelm the computing and labor resources of the vendor of the security software system. Moreover, attackers may increase the number of suspicious or unknown files by using polymorphism. Security software systems necessarily commit significant resources to analyzing and classifying the large number of files that are constantly being created and distributed. Consequently, some malicious files may evade detection. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for classifying files.